MailChimp’s Login, Olark, Kaneva Sign-in Page Open Redirect Vulnerability

MailChimp’s Login Page Open Redirect Vulnerability

From:
Poc Video:
The vulnerability exists on the “http://login.mailchimp.com/?” page in the “referrer” parameter, e.g.
http://login.mailchimp.com/?referrer=http://google.com [1]
When a user who is not yet logged in clicks the URL ([1]), the MailChimp login page appears and asks for a username and password. Once these are entered, the user is redirected to the webpage named in the “referrer” parameter, which can be a page outside MailChimp.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(1) I will use the following tests to illustrate the scenario I painted above.
The redirected webpage address is “http://www.tetraph.com/essayjeans/poems/thatday.html”. It’s one of my webpages. We can suppose that this webpage is malicious.

Olark Open Redirect Vulnerability

The vulnerability can be exploited without the user being logged in. My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(1) I will use one of my webpages for the following tests. The webpage address is “http://www.tetraph.com/essaybeans/reflections/solitude.html”. We can suppose that this webpage is malicious.

Kaneva Sign-in Page Open Redirect Vulnerability

From: http://www.tetraph.com/blog/2014/04/kaneva-sign-page-open-redirect-vulnerability/

The vulnerability exists on the “loginSecure.aspx” page in the “logretURLNH” parameter, i.e.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
When victims who are not logged in click the URL ([1]) above, the Kaneva Sign-in page is displayed and asks for their username and password. After signing in, they are redirected to the webpage named in the “logretURLNH” parameter, which can be a page outside Kaneva.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(1) I will use the following tests to illustrate the scenario I painted above.
The redirected webpage address is “http://www.tetraph.com/essaybeans/street_artists/clark_quay.html”. It’s one of my webpages. We can suppose that this webpage is malicious.
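All three cases above (MailChimp’s “referrer”, Kaneva’s “logretURLNH”, and the Olark sign-in redirect) share the same root cause: a post-login destination is taken from a query parameter and used as-is. The fix on the server side is to validate that parameter against an allow-list of the application’s own hosts before issuing the redirect. The following is an added example written for this post, not code from MailChimp, Olark, Kaneva or the author; the hostnames (login.example.com, app.example.com), the default landing URL and the parameter names beyond those quoted above are assumptions. It contrasts a string-prefix check, which still redirects off-site, with a parse-based check that resolves the value against the application’s base URL and only then inspects the resulting host.

```python
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Hostnames the application may send a browser to after login.
# Constructed for this example; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"login.example.com", "app.example.com"}
DEFAULT_LANDING = "https://app.example.com/dashboard"  # assumed fallback


def redirect_param(url: str, param: str) -> Optional[str]:
    """Return the (percent-decoded) value of `param` from a login URL's
    query string, or None if the parameter is absent. parse_qs decodes
    encodings such as http%3a%2f%2f into http://."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None


def naive_is_safe(target: str, app_host: str) -> bool:
    """A prefix check of the kind that still leaves an open redirect.
    Shown only to contrast with safe_redirect_target(): it accepts any
    value that *looks* local at the start of the string."""
    return (
        target.startswith("https://" + app_host)
        or target.startswith("http://" + app_host)
        or target.startswith("/")
    )


def safe_redirect_target(raw: Optional[str], base: str = DEFAULT_LANDING) -> str:
    """Return a redirect destination that is guaranteed to be on an allowed
    host. Anything missing, malformed or off-site collapses to `base`."""
    if not raw:
        return base
    # Browsers treat a backslash like a forward slash when resolving a
    # Location header, which urljoin does not; refuse rather than guess.
    if "\\" in raw:
        return base
    # Resolve relative paths (and scheme-relative "//host" forms) exactly
    # as a browser would, so the host we inspect is the host it will visit.
    resolved = urljoin(base, raw.strip())
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return base
    # .hostname strips any "user@" prefix and port, so a value such as
    # "https://app.example.com@other.example/" is judged by its real host.
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return base
    return resolved


if __name__ == "__main__":
    # Constructed login URLs mirroring the shape reported in this post.
    for url, param in [
        ("https://login.example.com/?referrer=http://google.com", "referrer"),
        ("https://login.example.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com", "logretURLNH"),
        ("https://login.example.com/?referrer=/account/settings", "referrer"),
    ]:
        value = redirect_param(url, param)
        print(f"{value!r:45} -> {safe_redirect_target(value)}")
```

Running the block prints the fallback landing page for the two off-site values and “https://app.example.com/account/settings” for the relative path. The design choice worth noting is that validation happens after `urljoin`, on the URL the browser will actually follow, rather than on the raw string; that is why scheme-relative and user-info forms that pass `naive_is_safe()` are still collapsed to the default.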
Credit:
WANG Jing (王晶), a mathematics PhD student from Nanyang Technological University.
Nanyang Technological University & University of Science and Technology of China & No.1 Middle School of Jiaonan (Huangdao)
